When it comes to employee or customer healthcare information, accidents can bankrupt a company. Maintaining a corporate culture of security-first compliance to create a cyber aware workforce prepares and protects your practice or your enterprise from common HIPAA violations associated with employee actions - whether you’re in the healthcare field or not.
“But, I didn’t know.”
It’s no excuse. Whether you’re five or fifty-five, you’ve often responded to an accusation with this sentence. Unfortunately, in the world of data protection, regulators don’t want to hear that phrase. You must know. When it comes to employee or customer healthcare information, accidents can bankrupt a company. Maintaining a corporate culture of security-first compliance to create a cyber aware workforce prepares and protects your practice or your enterprise from common HIPAA violations associated with employee actions - whether you’re in the healthcare field or not.
What is HIPAA?
The Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS), administered through the Office of Civil Rights (OCR), to adopt national standards for electronic healthcare information. Extended over the years, HIPAA now incorporates the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule.
A short HIPAA summary is that these four rules establish strict guidelines for privacy and security controls over protected health information (PHI). Defined as “individually identifiable health information,” PHI or electronic PHI (ePHI) includes any demographic information, medical history, test or lab results, mental health information, insurance information or other data that identifies a client. However, to fully understand not only what HIPAA is but how it relates to your business, you need a brief overview of the Security Rule and Privacy Rule.
A Simple HIPAA Security Rule Summary
In short, the Security Rule creates a series of guidelines for making sure that healthcare organizations, other covered entities, and business associates safeguard the confidentiality, integrity, and availability of ePHI created, received, maintained, or transmitted. In other words, don’t let someone accidentally access the information or steal it no matter what it is or where it is. As part of this, you need to identify and protect against potential risks that lead to unintended uses or disclosures. Moreover, you need to make sure your employees do the same.
A Simple HIPAA Privacy Rule Summary
Although similar in nature, the HIPAA Privacy Rule focuses on a person’s right to control the use of their information. While you need to secure it, you also need to make sure that you’re not letting anyone have accidental or unauthorized access to it.
Key Differences Between the Security and Privacy Rules
The HIPAA Privacy Rule and HIPAA Security Rules may sound similar, but there are two important distinctions:
- While the Security Rule focuses on electronic information, the Privacy Rule also incorporates spoken and paper information.
- The Privacy Rule focuses on “keeping it quiet” while the Security Rule details specific steps to compliance.
Who Must Comply with HIPAA?
HIPAA applies to you as a “covered entity” if you’re a healthcare provider, health plan, or health care clearinghouse. The HIPAA definition of “business entities” expands that to incorporate third parties who perform functions on behalf of covered entities that use, store, process, or disclose health information for them.
In other words, if you’re looking to expand a software or web application to enable any of the covered entities mentioned above, then you need to be compliant with HIPAA rules.
What Constitutes a HIPAA Violation?
Although HIPAA violations arise in a variety of ways, they all incorporate “someone who shouldn’t know something who learns about it because there weren’t enough protections.” This definition includes everything from employees having too much system access, to a hacker gaining entrance to your system, to someone leaving a piece of paper on a desk or a screen open to view.
Under the Enforcement Rule, OCR can levy fines anywhere from $100 per violation (not exceeding $25,000 annually) to $50,000 per violation (not exceeding $1.5 million annually) for an accidental violation. The penalty minimums increase as you act more willfully when violating the law. In fact, if your actions are too egregious, the Department of Justice can fine you $250,000 and subject you to up to ten years in jail for a data compromise with an intent to sell, transfer or use the information for commercial advantage, personal gain, or malicious harm.
Employer HIPAA Violations: How to Protect Employee Information
Even if you’re not a healthcare provider or business associate (third-party handling healthcare information on behalf of a healthcare provider), you may still be at risk. HIPAA law and employers have a tense relationship. Although employee medical privacy rights mostly fall under the Americans with Disabilities Act (ADA), some fall under HIPAA laws and regulations. Importantly, a few HIPAA guidelines for employers exist.
Don’t Call The Doctor
Whatever you do, never call an employee’s health care service provider. Just don’t do it.
Segregate Medical Documentation
If you require medical exams as part of an employee health program or as a requirement for a job offer, keep medical information segregated from traditional employee records. This can be physical segregation or digital segregation (such as a different server).
Protect ePHI within Self-Insured Healthcare Plans
If you’re using an Administrative Services Only (ASO) plan in which you as the employer pay benefits using your own company funds, then you need to be entirely HIPAA compliant.
Establish Data Handling Practices for Group Health Plan Information
If you’re getting more than summary information from the group health plan, it’s covered by HIPAA and needs protection. Make sure you review the documentation sent to your Human Resources Department and either create new practices or better define what information the group health plan should send you.
Review Company Health Clinics and Employee Assistance Programs
Both of these may be classified as hybrid entities wherein the provider transmits information for payment. As such, if you maintain records like these, you need to lock them down to be compliant.
Never Announce Something (Good or Bad) Classified as a Medical Condition
You may be over the moon that your employee is pregnant or devastated by an employee’s cancer diagnosis. However, unless your employee allows you to disclose, making an announcement to share this information with other staff members or management can be a HIPAA violation.
HIPAA Violation Examples
HIPAA violation stories abound. They can arise from oversharing on social media and lost or stolen devices. Even businesses that are no longer operating are not safe from the consequences of HIPAA violations.
Examples of Social Media HIPAA Violations
Many HIPAA violations involving social media are accidental. For instance, social media comments and posts can violate HIPAA regulations even if they don’t mention a patient by name. In some cases, employees may share photos on social media without realizing that patient information is visible in the background.
One recent example involves a nurse who created a video in which she interviewed coworkers on the challenges they face working throughout the COVID-19 pandemic in April 2020. One coworker noted that if the hospital had the resources it had requested, a particular patient may not have died, referring to the patient by name. This potential violation is currently under investigation at the time of writing.
In another example, an employee from Elite Dental Associates responded to a patient’s review on Yelp, a social media platform for rating and reviewing businesses. The response included sensitive patient information including the patient’s name, treatment plan details, and information about the cost of the treatment and the patient’s insurance. During its investigation of the complaint, the Office of Civil Rights (OCR) found that Elite Dental Associates’ responses to other patient reviews contained similar information. Elite Dental Associates settled the complaint for $10,000.
Examples of HIPAA Violations Resulting from Lost or Stolen Devices
Stolen devices can also lead to HIPAA violations. For instance, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled potential HIPAA violations for $650,000 in 2016 following the theft of a mobile device that contained PHI of hundreds of nursing home residents.
In 2017, Lifespan, Rhode Island’s largest hospital system, notified 20,000 patients that their PHI may have been on an employee’s stolen laptop. In both of these examples, the stolen devices were found to be unencrypted and not password protected.
Examples of “Minimum Necessary” HIPAA Violations
HIPAA requires that PHI is shared only on a “minimum necessary” basis – that is, covered entities and business associates must make a reasonable effort to ensure that only the minimum information necessary to complete a task or perform a job is accessed by or shared with authorized persons, and this is another tricky requirement that can lead to violations. For example, a nurse working in a unit or on a floor should only be given the information necessary to care for the patients they’re responsible for during their shift.
Violations of the minimum necessary requirement are common when dealing with third parties. For instance, sharing more patient information than necessary to process claims with a health insurance provider may constitute a HIPAA violation. A New Jersey psychologist faced allegations of HIPAA violations in 2017 after the practice’s billing manager sent copies of patients’ bills including codes that could reveal diagnoses and treatments to a collections agency. The complaint alleged that the practice failed to consider providing only a transaction ledger or redacting any unnecessary sensitive patient details before sending the information to the collections agency.
Best practices for avoiding these types of potential HIPAA violations include developing clear and comprehensive written security policies, including social media policies, implementing cybersecurity awareness training for employees, and implementing and enforcing robust device management policies, including reporting requirements for lost or stolen devices and remote wiping capabilities to protect sensitive information.
Protect Your Company From HIPAA Violations: A Do/Don't Do Guide
Transparency Is the Foundation of HIPAA Compliance
HIPAA’s detailed control list and risk assessment requirements make your security-first approach difficult. You want to be transparent, but the rules sometimes prevent that. At Zeguro, we value transparency in the way we communicate with our customers, which can also be a guide to how you view medical data transparency:
- Honesty: We’re up front about how well your protections align with HIPAA Security Rule’s requirements.
- Clarity: Our plain language policy templates and training modules remove legalese from the process to help you create HIPAA guidelines for employees.
- Simplicity: We simplify HIPAA compliance with an easy-to-navigate platform and staff who can answer your questions and ease the burden of compliance.
Note: Zeguro is not able to comment on specific HIPAA cases or violations and only provides general advice in its blogs and articles. We are also not able to assist in personal HIPAA questions. For assistance with HIPAA violations, we recommend you contact licensed legal counsel. If you are seeking solutions that can help you meet HIPAA compliance, we offer an integrated cybersecurity and cyber insurance solution that can help secure your organization and protect PHI/ePHI. Learn more here: https://www.zeguro.com/cybersecurity/compliance.
